chrismaddalena/adm_user_sessions.py

## adm_user_sessions.py
##########################################################################################
#                                                                                        #
# Locate accounts with a specific suffix or prefix and fetch their regular accounts      #
# to identify user sessions for both accounts. Then output a JSON file that details      #
# session data for these accounts.                                                       #
#                                                                                        #
# Useful if you are looking for computers used by the target users.                      #
#                                                                                        #
##########################################################################################


import json

from neo4j import GraphDatabase


driver = GraphDatabase.driver("bolt://127.0.0.1:7687", auth=("neo4j", "password"))
session = driver.session()

counter = 0
admin_users = {}

# Get all users with `-ADM` suffix
query = """
MATCH (u:User) WHERE u.name =~ ".*-ADM@.*"
RETURN u.name AS name
"""
results = session.run(query)

for user in results:
    # Store the `-ADM` username
    adm_username = user["name"]
    # Drop the `-ADM` to get their regular accounts
    username = user["name"].replace("-ADM@", "@")

    # Get all sessions and computers for these accounts
    query = """
    MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
    """ % username
    reg_results = session.run(query)
    reg_sessions = [record["name"] for record in reg_results]

    query = """
    MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
    """ % adm_username
    adm_results = session.run(query)
    adm_sessions = [record["name"] for record in adm_results]

    admin = False
    adm_sessions = []

    query = """
    MATCH (u:User {name:"%s"}) RETURN u.name AS name
    """ % adm_username
    adm_results = list(session.run(query))

    if adm_results:
        admin = True
        query = """
        MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
        """ % adm_username
        adm_results = session.run(query)
        adm_sessions = [record["name"] for record in adm_results]
    else:
        adm_username = ""

    if reg_sessions or adm_sessions:
        admin_users[counter] = {}
        admin_users[counter]["reg"] = username
        admin_users[counter]["sessions"] = reg_sessions
        admin_users[counter]["adm"] = adm_username
        admin_users[counter]["adm_sessions"] = adm_sessions
        admin_users[counter]["admin"] = admin
        admin_users[counter]["adm"] = adm_username
        admin_users[counter]["adm_sessions"] = adm_sessions

        counter += 1

# Clean up neo4j session
session.close()
driver.close()

with open("admin_users.json", "w") as f:
    f.write(json.dumps(admin_users, indent=4))
	##########################################################################################
	# #
	# Locate accounts with a specific suffix or prefix and fetch their regular accounts #
	# to identify user sessions for both accounts. Then output a JSON file that details #
	# session data for these accounts. #
	# #
	# Useful if you are looking for computers used by the target users. #
	# #
	##########################################################################################


	import json

	from neo4j import GraphDatabase


	driver = GraphDatabase.driver("bolt://127.0.0.1:7687", auth=("neo4j", "password"))
	session = driver.session()

	counter = 0
	admin_users = {}

	# Get all users with `-ADM` suffix
	query = """
	MATCH (u:User) WHERE u.name =~ ".-ADM@."
	RETURN u.name AS name
	"""
	results = session.run(query)

	for user in results:
	# Store the `-ADM` username
	adm_username = user["name"]
	# Drop the `-ADM` to get their regular accounts
	username = user["name"].replace("-ADM@", "@")

	# Get all sessions and computers for these accounts
	query = """
	MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
	""" % username
	reg_results = session.run(query)
	reg_sessions = [record["name"] for record in reg_results]

	query = """
	MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
	""" % adm_username
	adm_results = session.run(query)
	adm_sessions = [record["name"] for record in adm_results]

	admin = False
	adm_sessions = []

	query = """
	MATCH (u:User {name:"%s"}) RETURN u.name AS name
	""" % adm_username
	adm_results = list(session.run(query))

	if adm_results:
	admin = True
	query = """
	MATCH (u:User {name:"%s"})-[:HasSession]->(c:Computer) RETURN c.name AS name
	""" % adm_username
	adm_results = session.run(query)
	adm_sessions = [record["name"] for record in adm_results]
	else:
	adm_username = ""

	if reg_sessions or adm_sessions:
	admin_users[counter] = {}
	admin_users[counter]["reg"] = username
	admin_users[counter]["sessions"] = reg_sessions
	admin_users[counter]["adm"] = adm_username
	admin_users[counter]["adm_sessions"] = adm_sessions
	admin_users[counter]["admin"] = admin
	admin_users[counter]["adm"] = adm_username
	admin_users[counter]["adm_sessions"] = adm_sessions

	counter += 1

	# Clean up neo4j session
	session.close()
	driver.close()

	with open("admin_users.json", "w") as f:
	f.write(json.dumps(admin_users, indent=4))